DRIP: A framework for purifying trojaned kernel drivers

Gu, Zhongshu; Sumner, William N.; Deng, Zhui; Zhang, Xiangyu; Xu, Dongyan

doi:10.1109/dsn.2013.6575342

Cited by 7 publications

(3 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several researchers have proposed a kernel reduction approach that automatically generates compiletime configurations based on expected workloads [44], [50]. DRIP [37] eliminates malicious logic from a trojaned kernel driver by iteratively trimming away unnecessary code from the based on off-line profiling. Besides these off-line kernel reduction works, kRazor [43] is an OS mechanism that restricts accesses to kernel code from user-level applications based on run-time profiling of workloads.…”

Section: Related Workmentioning

confidence: 99%

Securing Real-Time Microcontroller Systems through Customized Memory View Switching

Kim

Choi

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Real-time microcontrollers have been widely adopted in cyber-physical systems that require both real-time and security guarantees. Unfortunately, security is sometimes traded for real-time performance in such systems. Notably, memory isolation, which is one of the most established security features in modern computer systems, is typically not available in many real-time microcontroller systems due to its negative impacts on performance and violation of real-time constraints. As such, the memory space of these systems has created an open, monolithic attack surface that attackers can target to subvert the entire systems. In this paper, we present MINION, a security architecture that intends to virtually partition the memory space and enforce memory access control of a real-time microcontroller. MINION can automatically identify the reachable memory regions of realtime processes through off-line static analysis on the system's firmware and conduct run-time memory access control through hardware-based enforcement. Our evaluation results demonstrate that, by significantly reducing the memory space that each process can access, MINION can effectively protect a microcontroller from various attacks that were previously viable. In addition, unlike conventional memory isolation mechanisms that might incur substantial performance overhead, the lightweight design of MINION is able to maintain the real-time properties of the microcontroller.

show abstract

Section: Related Workmentioning

confidence: 99%

Securing Real-Time Microcontroller Systems through Customized Memory View Switching

Kim

Choi

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…Kernel Monitoring: Kernel monitoring helps to understand the exact execution of the whole system. DRIP [20] is a framework for purifying trojaned kernel drivers. It records all kernel API invocations from the driver to the kernel, aim at eliminating malicious effects from the driver.…”

Section: Related Workmentioning

confidence: 99%

HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

Wang¹,

Yin²,

Li³

et al. 2019

ICST Transactions on Security and Safety

View full text Add to dashboard Cite

Provenance of system subjects (e.g., processes) and objects (e.g., files) are very useful for many forensics tasks. In our analysis and comparison of existing Linux provenance tracing systems, we found that most systems assume the Linux kernel to be in the trust base, making these systems vulnerable to kernel level malware. To address this problem, we present HProve, a hypervisor level provenance tracing system to reconstruct kernel malware attack story. It monitors the execution of kernel functions and sensitive objects, and correlates the system subjects and objects to form the causality dependencies for the attacks. We evaluated our prototype on 12 real world kernel malware samples, and the results show that it can correctly identify the provenance behaviors of the kernel malware with a minor performance overhead.

show abstract

“…Kurmus et al [1] proposed a kernel reduction approach which automatically generates kernel build configurations based on profiling results of expected workloads. DRIP [18] is an offline approach to purify trojaned kernel drivers via binary rewriting. It leverages a functional test suite to profile a driver and reserve the minimal required set of kernel function invocations.…”

Section: A Kernel Minimizationmentioning

confidence: 99%

FACE-CHANGE: Application-Driven Dynamic Kernel View Switching in a Virtual Machine

Saltaformaggio

Zhang

et al. 2014

2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

Self Cite

View full text Add to dashboard Cite

Kernel minimization has already been established as a practical approach to reducing the trusted computing base. Existing solutions have largely focused on whole-system profiling -generating a globally minimum kernel image that is being shared by all applications. However, since different applications use only part of the kernel's code base, the minimized kernel still includes an unnecessarily large attack surface. Furthermore, once the static minimized kernel is generated, it is not flexible enough to adapt to an altered execution environment (e.g., new workload). FACE-CHANGE is a virtualization-based system to facilitate dynamic switching at runtime among multiple minimized kernels, each customized for an individual application. Based on precedent profiling results, FACE-CHANGE transparently presents a customized kernel view for each application to confine its reachability of kernel code. In the event that the application exceeds this boundary, FACE-CHANGE is able to recover the missing code and backtrace its attack/exception provenance to analyze the anomalous behavior.

show abstract

DRIP: A framework for purifying trojaned kernel drivers

Cited by 7 publications

References 15 publications

Securing Real-Time Microcontroller Systems through Customized Memory View Switching

Securing Real-Time Microcontroller Systems through Customized Memory View Switching

HProve: A Hypervisor Level Provenance System to Reconstruct Attack Story Caused by Kernel Malware

FACE-CHANGE: Application-Driven Dynamic Kernel View Switching in a Virtual Machine

Contact Info

Product

Resources

About